The LockBit ransomware operation is making strategic moves by recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations. The recent disruptions and exit scams within NoEscape and BlackCat/ALPHV have created an opportune moment for LockBit to expand its network. The abrupt inaccessibility of NoEscape and BlackCat/ALPHV Tor websites, coupled with allegations of exit scams and stolen ransom payments, has left affiliates associated with these groups in disarray. While the exact reasons for the disruptions are unclear, speculation includes law enforcement involvement, hardware failures, and internal issues.
In response to the chaos surrounding BlackCat and NoEscape, LockBitSupp, the manager of LockBit, has taken to Russian-speaking hacking forums to actively recruit affiliates. LockBitSupp offers an enticing proposition, suggesting that affiliates with backups of stolen data can leverage LockBit’s data leak site and negotiation panel to continue extorting victims. Moreover, LockBitSupp is seeking to recruit the coder responsible for the ALPHV encryptor. The affiliation between LockBit and the distressed ransomware groups is still uncertain, but there are reports of a victim previously targeted by BlackCat now appearing on LockBit’s data leak site.
This development underscores the dynamic nature of the ransomware landscape, where groups face disruptions, rebranding, and, in some cases, shifting affiliations. The ransomware ecosystem continues to evolve, and the actions of groups like LockBit, leveraging the vulnerabilities and disruptions of others, highlight the adaptability and opportunism inherent in these malicious operations. The situation also raises questions about the trustworthiness of ransomware groups like BlackCat and NoEscape, potentially leading to further rebranding and restructuring in the ever-evolving threat landscape.
